It’s hard to believe HeiseHeise.com has been on the Internet since May 2007 – I know, I have the bills from 1and1.com to prove it! Hard to believe I’ve been going to places like Jordan, China, and India and logging right into the admin page for the website through an HTTP connection – I might as well have been saying to the government-controlled ISPs I was connecting through, “please, take my username and password and store it for your later use!”
I might not have been nearly as technically minded a decade ago as I am now, but for the past half decade or so I’ve been wincing, or connecting to the UW’s VPN service, every time I’d log onto my website. But what else could I do? I only pay 1and1 about $3 a month for the most basic hosting plan I can get; for a long time it’s been essentially impossible to add a TLS certificate (or even the now-outdated SSL) onto shared hosting unless I had my own IP address, and no way in heck was I going to pay that kind of money for a website which is basically one step above a public diary.
However, in September 2016 1and1 apparently relented and allowed all their hosting plans access to a free Symantec certificate (using SNI, a relatively new technology that allows shared sites to be able to use certificates), good for one domain (no subdomains). Thanks to this thread for showing me that 1and1 wasn’t willing to allow 3rd-party certificates on their servers (like the well-known and amazing Let’s Encrypt service); the final post on that page clued me in to this new generosity.
So yesterday, I pushed two buttons in the 1and1 admin panel to generate the new cert, then went into WordPress’s settings here on this site to change my URL from HTTP to HTTPS. Then… the site went down for the next 3-4 hours or so. Whoops. I mean, I wasn’t alarmed yet – I know it takes a while for hosted websites to do stuff sometimes. I figured there was some sort of delay in linking the new Symantec certificate into my domain, or changing my shared hosting location from an HTTP section of 1and1’s servers to an HTTPS server (I noticed my IP address changed this morning).
Then, it was a few modifications to my .htaccess file to permanently 301 redirect http://heiseheise.com to https://heiseheise.com (so from now on, you shouldn’t need to update your bookmarks; all visits to the unencrypted site will redirect here to the encrypted version) and that was that. SSLlabs.com gives my website an A rating, and also points out that people visiting me from Internet Explorer on Windows XP won’t be able to see the website at all now (due to a lack of the aforementioned SNI technology). Good! Stop using Windows XP, people. Ugh.
But Zach, why am I still not seeing the green padlock on this site? Firefox shows me a padlock with a yellow exclamation point, and Chrome shows a circle with an “i” in it. Good question. It’s probably a combination of the plugins I use that might not support HTTPS yet and the fact that all my actual blog entries until now are using HTTP for linking to the photos I host. I was hoping the .htaccess modification would automatically rewrite the code on the fly, but it looks like that’s too much to hope for. Perhaps I’ll go back and change the links in the blog entries to go to HTTPS, but considering that when you actually do click on the pictures they take you to the HTTPS version, I’m not overly worried. And besides, the main thing is that the admin pages of WordPress are now 100% secure (check out https://heiseheise.com/blog/wp-admin to see the green padlock we all know and love) so I’m no longer worried about my credentials getting hoovered up by any governments or ISPs I might have to interact with over the course of my travels. Time to change those passwords, by the way!
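
An added example (not from the original post), going beyond the photo case to other subresource tags: a Python check that lists what a browser would flag as mixed content in a post's HTML and upgrades the references pointing at the site's own host. The sample post and its file paths are constructed, and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
# <a href> is deliberately absent: a link is navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "source": "src",
    "audio": "src", "video": "src", "embed": "src", "link": "href",
}

# Constructed sample of stored post HTML (paths are made up for illustration).
SAMPLE_POST = (
    '<p><a href="http://heiseheise.com/photos/petra.jpg">'
    '<img src="http://heiseheise.com/photos/petra-300.jpg" alt="Petra"></a></p>\n'
    '<script src="http://widgets.example.net/share.js"></script>\n'
    '<img src="https://heiseheise.com/photos/ok.jpg">'
)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, url) pairs fetched over plain HTTP

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and urlsplit(value).scheme.lower() == "http":
                self.hits.append((tag, value))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

def upgrade_own_host(html, own_host):
    """Rewrite quoted http:// subresource URLs on own_host to https://.

    Returns (new_html, remaining); remaining holds every HTTP subresource
    still present (third-party hosts, or markup the rewrite did not match).
    """
    for _tag, url in find_mixed_content(html):
        if urlsplit(url).hostname == own_host.lower():
            pattern = r"""(["'])""" + re.escape(url) + r"\1"
            html = re.sub(pattern,
                          lambda m: m.group(1) + "https" + url[4:] + m.group(1),
                          html)
    return html, find_mixed_content(html)
```

Anything left in `remaining` needs a manual decision, since a third-party host may not serve the same file over HTTPS.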